All product names, logos, and brands are property of their respective owners. All company, product and service names used in this website are for identification purposes only. Use of these names, logos, and brands does not imply endorsement. If you are an owner of some content and want it to be removed, please mail to content@vulners.com. Vulners, 2017

{"result": {"zdt": [{"lastseen": "2016-04-19T02:37:52", "references": [], "description": "Exploit for php platform in category web applications", "edition": 1, "reporter": "MustLive", "published": "2013-02-19T00:00:00", "type": "zdt", "title": "ZeroClipboard XSS vulnerabilities", "enchantments": {"score": {"modified": "2016-04-19T02:37:52", "value": 3.5}}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2013-02-19T00:00:00", "href": "http://0day.today/exploit/description/20396", "id": "1337DAY-ID-20396", "sourceData": "These are Cross-Site Scripting vulnerabilities in ZeroClipboard.\r\n\r\nLast week I've made my research of these vulnerabilities and informed all\r\ndevelopers (previous and current) of ZeroClipboard.\r\n\r\nWhen I've downloaded ZeroClipboard in September 2011, when I was writing my article Attacks via clipboard\r\n(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-October/008056.html), where I wrote about different attacks via clipboard, such as XSS, CAS (which leads to DoS or Code Execution), attacks on download managers which monitor clipboard (which leads to manual downloading of malware or even Automatic File Download), clipboard spamming, clipboard phishing and clipboard malwaring, I mentioned about it in the article. That my examples of JavaScript code (for IE) or ActionScript code (for all browses) can be used for such attacks, or to use ZeroClipboard.\r\n\r\n-------------------------\r\nAffected products:\r\n-------------------------\r\n\r\nVulnerable are ZeroClipboard 1.0.7 and previous versions. This is concerning\r\nZeroClipboard developed by original author (Joseph Huckaby). There are new\r\nversions, developed by new authors (Jon Rohan and James M. Greene), in which\r\nthey became fixing these vulnerabilities - one XSS in 1.0.8 and another in\r\n1.1.4 version. 
The last version ZeroClipboard 1.1.7 is not affected.\r\n\r\nOriginal version by Joseph has two flash-files (ZeroClipboard.swf and\r\nZeroClipboard10.swf) and newer versions by Jon and James have only one\r\nflash-file (ZeroClipboard.swf).\r\n\r\n----------\r\nDetails:\r\n----------\r\n\r\nIn September 2011 I've not made any assessment of ZeroClipboard, so draw\r\nattention only on XSS via copying to buffer (it exists in test.html from\r\narchive of original ZeroClipboard, because flash-application doesn't\r\nsanitize input before copying into buffer, similarly as it can be used for\r\nabove-mentioned XSS attacks via pasting). This XSS can be triggered at\r\ntesting page, where information about copied text is shown and XSS occurs,\r\nor at pasting into html-forms (as described in my article).\r\n\r\nThen hip made his assessment of ZeroClipboard recently\r\n(http://packetstormsecurity.com/files/119968/WordPress-WP-Table-Reloaded-Cross-Site-Scripting.html).\r\nHe draw attention only concerning this flash-file in WP-Table-Reloaded\r\nplugin for WordPress, but it's not just part of the plugin, it's third-party\r\napplication, which is used in multiple web applications and at multiple\r\nsites (as standalone, as in different webapps). So I'm giving detailed\r\ninformation about ZeroClipboard.\r\n\r\nI suggest instead of hip's payload \"a\\%22))}catch(e){alert(1)}//\" to use my\r\nvariant - in this case there will be no cyclings of alertbox.\r\n\r\nhttp://site/wp-content/plugins/wp-table-reloaded/js/tabletools/zeroclipboard.swf?id=\\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//\r\n\r\nCross-Site Scripting (WASC-08):\r\n\r\nIn WP-Table-Reloaded XSS works just with parameter id (this is modified\r\nversion of swf-file, so there are different modification of it). 
In official\r\nversion of ZeroClipboard it'll not work without \"&width&height\", so it's\r\nneeded to set all parameters.\r\n\r\nhttp://site/ZeroClipboard.swf?id=\\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height\r\n\r\nhttp://site/ZeroClipboard10.swf?id=\\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height\r\n\r\nAnd XSS via copying XSS payload into buffer, described above.\r\n\r\nThis is very widespread flash-file (both versions), as you can find out via\r\nGoogle dorks.\r\n\r\ninurl:zeroclipboard.swf - about 80500 results\r\ninurl:zeroclipboard10.swf - about 9520 results\r\n\r\nSome of these zeroclipboard.swf can be newer versions (with fixed XSS), but\r\ntens of thousands of swf-files (and sites with them) are vulnerable. For\r\nlast 14,5 years I saw ZeroClipboard and similar flash-files (for copying\r\ninto clipboard) at a lot of web sites. From small sites, till large sites,\r\nsuch as slideshare.net (this is just one more hole to those multiple holes,\r\nwhich I've informed them about during last years, and they always don't care\r\nabout security of their site - or ignored vulnerabilities, or hiddenly fixed\r\none hole without any response - typical lame approach, so this hole is going\r\ndirectly to full disclosure).\r\n\r\nhttp://www.slideshare.net/javascripts/plugins/ZeroClipboard.swf?id=\\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height\r\n\r\nBest wishes & regards,\r\nMustLive\r\nAdministrator of Websecurity web site\r\nhttp://websecurity.com.ua\n\n# 0day.today [2016-04-19] #", "cvss": {"score": 0, "vector": "NONE"}, "sourceHref": "http://0day.today/exploit/20396"}]}}